On 30/06, shawn wilson wrote:
>% cat ext_rsa.pub| sed -r 's/.*(AAAA[^ ]+).*/\1/' | sha256sum
>
> ~/.ssh swlap1
>d4bf8b06f2d9d9af7a11583a5367205ed310a84f0dee68d062e2ddca1e85c3ff -
>% ssh-keygen -lf ext_rsa.pub
>
> ~/.ssh swlap1
>8192 SHA256:FgrfxmdjTM/j4wwRa7nVdPSUaJdqHYMJtJ6aciPl9ug swilson at swlap1 (RSA)
>
>Why do those differ and how would I generate the equivalent (mainly
>just curious)? I've also tried base64 and a few other substitutions at
>the end and I can't get them to match (probably would save time to
>just look at the code, but...).

It's not simply a checksum of the key file. You need to extract the exponent and prime from the public key, then append those to a specific string of bits, then get a SHA256 digest of that, and then base64 encode that.

https://github.com/kyrias/bin/blob/master/ssh-gen-fprint has an example implementation of `ssh-keygen -lf` in Ruby.

--
Sincerely,
  Johannes Löthberg
  PGP Key ID: 0x50FB9B273A9D0BB5
  https://theos.kyriasis.com/~kyrias/

You really don't need openssl for that. And the fingerprints are simple.

Here is a Python script that does the same as ssh-keygen -fl /path/to/key :

#!/usr/bin/env python3
# Usage: <script> <base64 key blob from the .pub file> <md5|sha256>
import binascii
import hashlib
import sys

if __name__ == "__main__":
    # Hash the decoded key blob, not the base64 text of the .pub file.
    key = binascii.a2b_base64(sys.argv[1])
    if sys.argv[2] == "md5":
        m = hashlib.new("md5")
        m.update(key)
        # ssh-keygen prints MD5 fingerprints as colon-separated hex pairs.
        h = m.hexdigest()
        print(":".join(h[i:i + 2] for i in range(0, len(h), 2)))
    elif sys.argv[2] == "sha256":
        m = hashlib.new("sha256")
        m.update(key)
        # ssh-keygen prints SHA256 fingerprints as base64 without "=" padding.
        print(binascii.b2a_base64(m.digest()).decode("utf8").rstrip("=\n"))

Do use it in production, do some test, but the general idea is there.

Cheers,

On Tue, 30 Jun 2015 16:12:03 +0200 Johannes Löthberg <johannes at kyriasis.com> wrote:
> On 30/06, Johannes Löthberg wrote:
> >On 30/06, shawn wilson wrote:
> >>% cat ext_rsa.pub| sed -r 's/.*(AAAA[^ ]+).*/\1/' | sha256sum
> >>
> >> ~/.ssh swlap1
> >>d4bf8b06f2d9d9af7a11583a5367205ed310a84f0dee68d062e2ddca1e85c3ff -
> >>% ssh-keygen -lf ext_rsa.pub
> >>
> >> ~/.ssh swlap1
> >>8192 SHA256:FgrfxmdjTM/j4wwRa7nVdPSUaJdqHYMJtJ6aciPl9ug swilson at swlap1 (RSA)
> >>
> >>Why do those differ and how would I generate the equivalent (mainly
> >>just curious)? I've also tried base64 and a few other substitutions at
> >>the end and I can't get them to match (probably would save time to
> >>just look at the code, but...).
> >
> >It's not simply a checksum of the key file. You need to extract the
> >exponent and prime from the public key, then append those to a
> >specific string of bits, then get a SHA256 digest of that, and then
> >base64 encode that.
> >
> >https://github.com/kyrias/bin/blob/master/ssh-gen-fprint has an
> >example implementation of `ssh-keygen -lf` in Ruby.
> >
>
> Oh, and support for ECC keys isn't implemented because OpenSSL doesn't
> support it yet. :/
>
> --
> Sincerely,
> Johannes Löthberg
> PGP Key ID: 0x50FB9B273A9D0BB5
> https://theos.kyriasis.com/~kyrias/

--
Emmanuel Vadot <elbarto at bocal.org>

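The same computation as an added example (not code from any poster in this thread): it takes a whole `type base64 [comment]` public key line, checks that the length-prefixed blob is well formed and names the same key type, and hashes the decoded blob. The function names are this example's own, and the sample key is constructed (a made-up modulus, not a real key). Because the hash covers the whole blob, this goes beyond RSA to any key type.

```python
import base64
import hashlib

def read_fields(blob):
    """Split a key blob into its fields (4-byte big-endian length + bytes)."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length prefix")
        n = int.from_bytes(blob[off:off + 4], "big")
        off += 4
        if off + n > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[off:off + n])
        off += n
    return fields

def fingerprint(pub_line, algo="sha256"):
    """Fingerprint of one 'type base64 [comment]' public key line."""
    parts = pub_line.split()
    if len(parts) < 2:
        raise ValueError("expected 'type base64 [comment]'")
    blob = base64.b64decode(parts[1], validate=True)
    # The first field inside the blob must repeat the key type from the line.
    fields = read_fields(blob)
    if not fields or fields[0] != parts[0].encode("ascii"):
        raise ValueError("key type does not match blob")
    if algo == "sha256":
        digest = hashlib.sha256(blob).digest()
        # Unpadded base64, as in the SHA256:... output quoted in the thread.
        return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")
    if algo == "md5":
        hexd = hashlib.md5(blob).hexdigest()
        return "MD5:" + ":".join(hexd[i:i + 2] for i in range(0, 32, 2))
    raise ValueError("unsupported hash: " + algo)

def make_sample_line():
    """Constructed sample: ssh-rsa blob with e=65537 and a made-up modulus."""
    def field(b):
        return len(b).to_bytes(4, "big") + b
    e = (65537).to_bytes(3, "big")
    n = b"\x00" + bytes(range(129, 193))  # leading 0x00 keeps the mpint positive
    blob = field(b"ssh-rsa") + field(e) + field(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " constructed@example"

if __name__ == "__main__":
    line = make_sample_line()
    print(fingerprint(line, "sha256"))
    print(fingerprint(line, "md5"))
```

Hashing the base64 text, as the `sed ... | sha256sum` pipeline in the original question does, digests different bytes than the decoded blob, which is why the two outputs there cannot match.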
On Tue, Jun 30, 2015 at 10:12 AM, Johannes Löthberg <johannes at kyriasis.com> wrote:
> On 30/06, Johannes Löthberg wrote:
>>
>> On 30/06, shawn wilson wrote:
>>>
>>> % cat ext_rsa.pub| sed -r 's/.*(AAAA[^ ]+).*/\1/' | sha256sum
>>>
>>> ~/.ssh swlap1
>>> d4bf8b06f2d9d9af7a11583a5367205ed310a84f0dee68d062e2ddca1e85c3ff -
>>> % ssh-keygen -lf ext_rsa.pub
>>>
>>> ~/.ssh swlap1
>>> 8192 SHA256:FgrfxmdjTM/j4wwRa7nVdPSUaJdqHYMJtJ6aciPl9ug swilson at swlap1
>>> (RSA)
>>>
>>> Why do those differ and how would I generate the equivalent (mainly
>>> just curious)? I've also tried base64 and a few other substitutions at
>>> the end and I can't get them to match (probably would save time to
>>> just look at the code, but...).
>>
>>
>> It's not simply a checksum of the key file. You need to extract the
>> exponent and prime from the public key, then append those to a specific
>> string of bits, then get a SHA256 digest of that, and then base64 encode
>> that.
>>
>> https://github.com/kyrias/bin/blob/master/ssh-gen-fprint has an example
>> implementation of `ssh-keygen -lf` in Ruby.
>>
>
> Oh, and support for ECC keys isn't implemented because OpenSSL doesn't
> support it yet. :/
>

Heh, I noticed that - makes sense :)

And thanks